Configuring a GPO to permit a MMC snap-in that is not available in the list of “Restricted/Permitted snap-ins” provided by the default Microsoft Management Console policy setting

Problem

There are situations where an existing GPO restricts non-administrative users from launching the MMC and its snap-ins in order to reduce the attack surface. To achieve this, an administrator can create a GPO with the following setting:

User Configuration > Administrative Templates > Windows Components > Microsoft Management Console > Restrict users to the explicitly permitted list of snap-ins: Enabled


Re-enabling select snap-ins is fairly straightforward, as a list of consoles is provided in the sub folder: Restricted/Permitted snap-ins


As the list provided in the default Group Policy ADM template only includes the built-in Windows Server snap-ins, attempting to permit a third-party MMC snap-in such as the following SQL Server 2019 Configuration Manager becomes a problem:


Solution

There are two methods to address this issue. The first is to create a custom ADMX file and import it into Active Directory; the second is to apply the same registry key that a custom ADMX would. This document demonstrates the latter method, as it is simpler for one-off configurations. To achieve this, we will create a GPO that creates the key HKCU\Software\Policies\Microsoft\MMC\{MMC snap-in GUID} and sets the Restrict_Run value to 0, which permits the snap-in (1 restricts it):


Identify the custom MMC snap-in GUID

The first step is to identify the custom MMC snap-in GUID. For the purpose of this example, we will use the snap-in SQL Server 2019 Configuration Manager. Begin by navigating to the following key in the Registry Editor:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns

Then locating and copying the custom snap-in’s GUID, which is the folder’s name:

{84a016c0-5617-4a05-ae8c-c806c5ff3e20}


Create a GPO with an update registry configuration

With the MMC snap-in GUID identified, create a GPO and navigate to User Configuration > Preferences > Windows Settings > Registry:


Create a registry configuration as such:

Action: Update
Hive: HKEY_CURRENT_USER
Key Path: Software\Policies\Microsoft\MMC\{84a016c0-5617-4a05-ae8c-c806c5ff3e20}
Value name: Restrict_Run
Value type: REG_DWORD
Value data: 0


The policy should look as such once configured:


With the above policy created, have the user to whom this policy applies log off and back on to access the custom MMC snap-in.
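The following PowerShell is an added example, not part of the original post, that automates the two steps above on a test machine: it looks up a snap-in GUID by display name under HKLM\SOFTWARE\Microsoft\MMC\SnapIns, writes the same Restrict_Run value under HKCU\Software\Policies\Microsoft\MMC that the Group Policy Preference item creates, and lists which snap-ins the policy key currently permits or restricts. It assumes the snap-in's display name is stored in the NameString value of its SnapIns subkey (true for most snap-ins, but not guaranteed), and it accepts a list of GUIDs because some consoles depend on more than one snap-in. Writing under HKCU\Software\Policies normally requires administrative rights; in production the GPO does this for you, so use the Set function only to verify on a lab account.

```powershell
# Added example (not from the original post). Assumes the snap-in display name lives
# in the NameString value under HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{GUID}.

function Get-MmcSnapInGuid {
    # Return the GUID(s) of snap-ins whose display name matches a wildcard pattern.
    param([Parameter(Mandatory)][string]$NamePattern)
    $root = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'
    Get-ChildItem -Path $root | ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).NameString
        if ($name -and $name -like $NamePattern) {
            [pscustomobject]@{ Guid = $_.PSChildName; Name = $name }   # PSChildName includes the braces
        }
    }
}

function Set-MmcSnapInPermitted {
    # Write Restrict_Run under the per-user MMC policy key; 0 permits, 1 restricts.
    param(
        [Parameter(Mandatory)][string[]]$Guid,
        [switch]$Restrict
    )
    $value = if ($Restrict) { 1 } else { 0 }
    foreach ($g in $Guid) {
        $key = "HKCU:\Software\Policies\Microsoft\MMC\$g"
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Restrict_Run' -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Get-MmcSnapInPolicy {
    # Audit helper: list every snap-in GUID under the policy key with its effective state.
    $root = 'HKCU:\Software\Policies\Microsoft\MMC'
    if (-not (Test-Path -Path $root)) { return }
    Get-ChildItem -Path $root | ForEach-Object {
        $rr = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Restrict_Run
        [pscustomobject]@{
            Guid         = $_.PSChildName
            Restrict_Run = $rr
            State        = switch ($rr) { 0 { 'Permitted' } 1 { 'Restricted' } default { 'Not configured' } }
        }
    }
}

# Usage: find the SQL Server Configuration Manager snap-in, permit it, then show the policy key.
$snapin = Get-MmcSnapInGuid -NamePattern '*SQL Server*Configuration Manager*'
$snapin | Format-Table -AutoSize
if ($snapin) { Set-MmcSnapInPermitted -Guid $snapin.Guid }
Get-MmcSnapInPolicy | Format-Table -AutoSize
```

Get-MmcSnapInPolicy is the useful part once the GPO is in place: run it in the restricted user's session after a log off and on, and the GUID from the Group Policy Preference item should appear with Restrict_Run 0 and State Permitted. If the snap-in still reports that it has been restricted by policy, compare the console's snap-in dependencies against that list, since each one needs its own key.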

4 Responses

  1. Hi Terence,

    Citrix Studio's GUID appears as FX:{147C3FB4-2709-47cd-8745-7D4962341189}. So the key to be created under HKCU will be just 147C3FB4-2709-47cd-8745-7D4962341189 or something else?

  2. I tested it without FX: but it did not work. Then tested with FX:{147C3FB4-2709-47cd-8745-7D4962341189}, it partially worked.

    First I got an error message and after I clicked OK, Studio opened up. The error message is "The snap-in below, referenced in this document, has been restricted by policy. Contact your administrator for details. Folder." The error message doesn't seem to be normal because I am explicitly allowing Studio even if "Restrict the user from entering author mode" and "Restrict users to the explicitly permitted list of snap-ins" are enabled.

    Please help.

  3. Sorry for the spam. I figured it out. For Citrix Studio, one more GUID corresponding to Folder snap-in needs to be created. That is {C96401CC-0E17-11D3-885B-00C04F72C717}.

    So two Keys under HKCU\Software\Policies\Microsoft\MMC

    1. Citrix Studio snap-in
    2. Folder Snap-in

    Both keys will have "Restrict_Run"= dword:00000000

  4. Wow! Cool, thank you very much man!
    Just working on a bunch of computers, which will be accessed by external app installers, I tried to restrict everything and this is a good catch!

    Cheers, Jim